Learn the most secure method to encrypt your sensitive data prior to storing it in Amazon S3. Compare client-side and server-side encryption options like SSE-C, SSE-KMS, and client-side encryption with customer managed keys.
Question
A company is migrating an application from an on-premises environment to AWS. The application will store sensitive data in Amazon S3. The company must encrypt the data before storing the data in Amazon S3.
Which solution will meet these requirements?
A. Encrypt the data by using client-side encryption with customer managed keys.
B. Encrypt the data by using server-side encryption with AWS KMS keys (SSE-KMS).
C. Encrypt the data by using server-side encryption with customer-provided keys (SSE-C).
D. Encrypt the data by using client-side encryption with Amazon S3 managed keys.
Answer
A. Encrypt the data by using client-side encryption with customer managed keys.
Explanation
The question states that the sensitive data must be encrypted before storing it in Amazon S3. This requirement can only be met by using client-side encryption, where the data is encrypted by the application before it is sent to S3.
Options B and C involve server-side encryption, where Amazon S3 encrypts the data after receiving it, and option D names a key arrangement that does not exist:
- Option B uses SSE-KMS, where S3 encrypts the data using keys managed by AWS Key Management Service.
- Option C uses SSE-C, where S3 encrypts the data using keys provided by the customer.
- Option D suggests client-side encryption with Amazon S3 managed keys, but S3 does not manage keys for client-side encryption.
Therefore, option A is the only valid solution. Client-side encryption ensures the data is encrypted before ever leaving the application environment and being stored in S3. The customer has full control over the encryption keys used. This provides the highest level of security and maintains the confidentiality of the sensitive data, meeting the stated requirements.
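The client-side flow described above, as an added example that is not part of the original page and is not the AWS S3 Encryption Client: a fresh data key encrypts each object with AES-256-GCM inside the application, and a locally held 32-byte key, standing in for the customer managed key, wraps that data key. The function names, the `wrapped-data-key` metadata name and the sample bucket and object key are assumptions; the returned object mirrors the parameters of a PutObject request, but nothing is sent to AWS.

```javascript
// Added example: client-side envelope encryption before an S3 upload.
// Function names, metadata key and sample values are hypothetical.
const nodeCrypto = require("crypto");

// AES-256-GCM; blob layout is nonce(12) || ciphertext || tag(16).
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce).setAAD(aad);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Inverse of seal; throws if the key, the aad or any byte of the blob is wrong.
function unseal(key, blob, aad) {
  if (blob.length < 28) throw new Error("blob too short");
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Runs inside the application. masterKey stands in for the customer managed
// key; neither it nor the plaintext data key appears in the returned request.
function encryptForS3(masterKey, bucket, objectKey, plaintext) {
  const aad = Buffer.from(`${bucket}/${objectKey}`); // bind ciphertext to its location
  const dataKey = nodeCrypto.randomBytes(32); // fresh AES-256 key per object
  const params = {
    Bucket: bucket,
    Key: objectKey,
    Body: seal(dataKey, plaintext, aad),
    Metadata: { "wrapped-data-key": seal(masterKey, dataKey, aad).toString("base64") },
  };
  dataKey.fill(0); // best-effort wipe of the plaintext data key
  return params; // what S3 would receive: ciphertext and a wrapped key only
}

// Runs inside the application on the Body and Metadata a GetObject call returns.
function decryptFromS3(masterKey, obj) {
  const aad = Buffer.from(`${obj.Bucket}/${obj.Key}`);
  const wrapped = Buffer.from(obj.Metadata["wrapped-data-key"], "base64");
  const dataKey = unseal(masterKey, wrapped, aad);
  return unseal(dataKey, obj.Body, aad);
}
```

With SSE-KMS or SSE-C the `Body` in the same request would be the plaintext, and encryption would happen only after S3 received it.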